A Framework for Cultivating a Culture of Cybersecurity
By Steve I Cooper, CIO, U.S. Department of Commerce and Michael Maraya, Manager-Cybersecurity Operation
In 1943, American psychologist Abraham Maslow formulated a theory of human motivation, the eponymously named Hierarchy of Needs. In his theory, Dr. Maslow suggests that the basic needs of physiology, safety, love and belonging, and esteem must be met before people can reach their full potential. While Dr. Maslow may not have had cybersecurity in mind in 1943 when he listed safety as a need, it could be argued that the human need for safety in the 21st century covers not just our physical person but our digital identities as well.
So how do we, as information technology professionals, ensure the digital safety of our employees so they can reach their full potential? One way is to build on an existing cybersecurity framework to cultivate a culture of cybersecurity.
The NIST Cybersecurity Framework
Through collaboration between the government and the private sector, the Commerce Department’s National Institute for Standards and Technology (NIST) developed a voluntary set of prioritized, flexible, repeatable, and cost-effective industry standards, guidelines, and practices to help organizations manage cybersecurity risk. This framework gives organizations the tools to describe their current and target cybersecurity postures, select areas for improvement, assess progress toward the target state, and communicate cybersecurity risk to stakeholders.
“Together, the framework and culture can give you the technical and organizational tools to empower informed risk-based decision-making at all levels ”
The NIST framework organizes basic cybersecurity activities into five key functions:
1. Identify – understand your organization, its resources, and its threats, vulnerabilities, and risks
2. Protect – take preventive and defensive measures to minimize the probability and impact of cybersecurity events
3. Detect –discover cybersecurity events as quickly as possible
4. Respond – contain and mitigate cybersecurity events
5. Recover – quickly restore services affected by a cybersecurity event
Organizations can build on this framework and its functions for managing cybersecurity risk and tailor it to suit their size, complexity, and risk appetite. At its core, cybersecurity is risk management and your employees, customers, and stakeholders engage in risk management daily, even if they’re not aware of it. This framework gives us the technical foundation for cultivating a culture of cybersecurity.
A Culture of Cybersecurity
Just as cybersecurity must be baked into systems as they’re developed and not bolted on later, cybersecurity must be ingrained into your policies, procedures, processes, and performance measures at every level of your organization before cybersecurity becomes a problem. The formula for this culture of cybersecurity will vary from one organization to another but here are a few concrete actions to consider:
1. Train employees on how to spot phishing e-mails. Phishing e-mails are one of the more common ways cybersecurity incidents are introduced in an organization. Poor grammar, misspelled words, and blatantly fake domain names are a dead give-away for less sophisticated phishing attacks but an increasing number of phishing e-mails now have flawless text and plausible corporate graphics and links. Providing training on a regular basis in person and online has increased awareness and decreased the number of people falling prey to phishing emails in our organization.
2. Give employees the tools to protect themselves. Invest in multi-factor authentication to minimize the likelihood of credential theft, particularly for system administrators and remote users. Encrypt sensitive documents and emails so that only the intended recipients can read them. Provide virtual private networks for your mobile workforce to keep their information safe when using public Wi-Fi hotspots. Implement digital signatures so employees can verify the identity of the sender and confirm that the document or email was unaltered.
3. Empower employees to make risk-based decisions.
Avoid draconian or reactionary policies that add administrative burden but don’t improve risk management. Instead, make employees aware that their actions have an element of cybersecurity risk, arm them with the tools to mitigate the risk, and trust them to make the right decisions.
4. Don’t blame the victim. Cybersecurity incidents are the new normal. Use these incidents as an opportunity to coach employees instead of punishing them for something they may not have had any control over in the first place. We conduct regular internal ‘anti-phishing’ campaigns in which the links embedded in campaign emails take people to our online training, rather than embarrassing them.
5. Make employees stakeholders in cybersecurity. Improving your organization’s resiliency to cybersecurity incidents should not be limited to your security operations team. Solicit input from your employees in preparing for incidents and ask for their feedback after an incident has occurred. They may surprise you with insights your security team may not have even considered.
6. Give your system administrators the time to do things correctly. System administrators are under constant pressure to support new engineering projects while keeping your current systems running smoothly. Applying patches, setting configurations, and keeping your directory services updated sometimes fall to the wayside when new projects come up or when systems go down. Give them the time they need to perform the important-but-not-urgent tasks.
If your organization is struggling to tackle the challenges of cybersecurity in the 21st century, a good place to start is by adopting an approach that combines the NIST Cybersecurity Framework and cultivating a cybersecurity culture. Together, the framework and culture can give you the technical and organizational tools to empower informed risk-based decision-making at all levels of your organization.